Spies in Every Corner

You hear a lot about spyware these days—how it infiltrates systems, slows PCs to a crawl and opens dangerous security loopholes. So what exactly is spyware? In its narrowest definition, spyware is tracking software installed without adequate notice, consent or control of the user. That's the official definition offered by the new Anti-Spyware Coalition (ASC), a group of software and hardware vendors, academics and consumer groups that have joined forces to deal with this growing threat.

Today, most anti-spyware tools are aimed at the individual user. Microsoft Antispyware (now called Windows Defender) is a good example—it's a locally run process that is individual to each machine. If your organization has a number of PCs, though, you'll be more interested in something you can manage from a central location through specific policies. That is the focus of the solutions included in this review.

While Webroot Software did not participate, the company takes an interesting approach to updates with its Phileas Threat Research System (PTRS). Named after Phileas Fogg, the hero in Jules Verne's Around the World in Eighty Days, PTRS is a webbot that scans Web pages around the world to identify potential threats and update its spyware definition files.

Most vendors integrate spyware research into their virus research systems. For example, Sunbelt Software uses ThreatNet, a worldwide network that collects threats as users identify them. Lavasoft also uses a user-based submission system through its Lavasoft Research Portal. Computer Associates backs its security products through the CA Security Advisor, which provides vulnerability and configuration research, around-the-clock monitoring and protection against malicious code, spyware and blended threats. Like the other centers, the CA Security Advisor also maintains an online spyware threat database and provides users with free advice on how to delete malicious code and prevent infection.

Though the products reviewed here are geared toward spyware, you may want to integrate anti-virus and anti-spyware management tools. We noted the potential of combining those two functions wherever possible. There are two schools of thought on this topic. The first integrates both functions to simplify systems management and administration. The second opts for separate tools in order to increase the potential coverage. Both are valid approaches.

Testing Environment and Methodology
The testing environment was a Windows-based network running Windows Server 2003 and Windows XP. All machines were up to date in terms of service packs, patches and software and security updates.

We reset all test machines to a clean state before running our tests. Once we had set up each anti-spyware system, we directed the test machines to known malware sites. Then we threw several spyware programs at them to see how each of these anti-spyware packages would detect and remove the malicious code. In situations where the malware was not blocked, the goal was to see how well the protection system would remove the unwanted programs.

We used a well-known piece of spyware called MarketScore (also known as NetSetter). This one is particularly nasty since it promotes itself by claiming to accelerate Internet browsing using MarketScore's proxies to access the Internet. In reality, it provides little or no actual acceleration.

What MarketScore does is monitor and record all activity, even activity that uses the Secure Sockets Layer (SSL) to view protected sites, such as banking or commercial sites. This means MarketScore can capture any private data you exchange with a site. (The installation agreement does state in very small print that this tool can monitor your activity during Web browsing.)

Any tool that protected our systems from more than 95 percent of the spyware to which the systems were exposed scored high in our book. Since all the programs in this list achieved this level of protection, we focused on the enterprise features—features such as installation, deployment to client systems and remote administration. The key to malware protection is the update and installation of definition files. Any system that lets you fully automate this critical function and control it from a central location was also ranked high.

eTrust Pest Patrol Corporate Edition
Computer Associates
Pest Patrol has long been a popular personal anti-spyware tool. Recently purchased by Computer Associates (CA), it is now part of the eTrust Threat Management suite. The corporate version of Pest Patrol has a central console that runs on a server and a client component. The console lets you manage client policies and distribute updated definition files. The client can be either the full agent or a basic command-line agent.

In environments with fewer than 500 machines, you simply install the console, configure the server and then scan the clients. The data file for known pests is automatically updated during the server installation, so you'll know you're up to date. It would be nice if all the update files were combined into one download, but it is good to know the server is up to date before you start it the first time.

Once the server is properly configured, it's time to scan the clients (see Figure 1). The first time you do, the client agent is automatically installed, which makes deployment a snap. Pest Patrol uses a combination of Active Directory (AD) and network browsing to locate clients, which also simplifies the process. If your machines are already in AD, then Pest Patrol will locate them all on the first pass. If not, it gets a little more complicated, but still not a major task.

Figure 1. Pest Patrol has a simple interface with which you perform all configuration and administrative operations.

According to Pest Patrol best practices, use the default agent only if you have fewer than 500 clients, as deployments can take a long time with more than 500 clients. In that case, you need to replace the default agent with the command-line agent. This agent isn't automatically deployed by Pest Patrol. You'll have to do it as a separate software component through another deployment tool. Also, the command-line agent is a legacy program (with an .EXE extension) and not a Windows Installer package (with the .MSI extension), so you'd need a third-party tool like Microsoft Systems Management Server or even CA Software Delivery.

If you'd rather use Active Directory, you'll have to wrap the package into an MSI first. Whichever tool you use, make sure you actually perform this deployment before you scan any machines. The scan itself will install the default agent, and you shouldn't have both agents on the same machine.

Pest Patrol supports active scanning. This means the agent will provide continuous scanning for any threats during system operation. To make this most effective, though, you should run an initial scan for any pests before turning on Active Protection. That way it can remove any existing spyware before it begins to run the continuous protection, making it simpler and using fewer resources.

When it finds suspected spyware, Pest Patrol can either delete or quarantine the files. You might prefer to quarantine any detected items so you can examine them before they're deleted. You can recover any quarantined elements if you determine they aren't spyware. After a while, you might want to set the system to delete all unknown files and indicate which ones you want to keep in the exclusion list.

Another Pest Patrol best practice is to reboot your client machines on a regular basis, as some spyware isn't completely removed until you push that reset.

Pest Patrol is simple to install and operate, especially with fewer than 500 clients. With a larger network, you have two choices: move to the command-line agent or deploy multiple servers—one for each group of 500 clients. CA says the default agent works with groups larger than 500, but its performance begins to drop at that level. Also, having more than one central server defeats the purpose of having a central location for enterprise administration.

Pest Patrol identified, but could not fully remove MarketScore. For this specific instance of spyware, the CA AntiSpyware Web site recommends uninstalling either through the Add/Remove Programs component of the Control Panel or through a special command-line setting.


Ad-Aware SE Enterprise
Lavasoft
The enterprise version of Ad-Aware is pretty much the same as the professional version. The only big difference between the two is the Ad-Axis central management console.

Installing and deploying Ad-Aware SE Enterprise is relatively simple. First deploy Ad-Axis on the central management server. Then deploy the Ad-Axis client component and the rest of the Ad-Aware system to your clients. All of the components are packaged for Windows Installer, so you can use Active Directory or a third-party deployment tool. The only real catch in the entire process is determining the port through which the clients and servers connect. By default, this is TCP port number 10020, so if you choose the default, make sure it is open in your firewalls so you can control client activity.

Setting up the Ad-Axis central console is a snap. Make sure the definition file is up to date by forcing an immediate update. Then, you schedule two events (see Figure 2). The first is when and how to retrieve definition files and distribute them to client systems. The second is to schedule regular scans of your systems. That's it. In fact, the entire help file for the console has no more than 13 pages.

The most interesting part of Ad-Aware is the Code Sequence Identification (CSI) technology. Unlike the CSI team you might know from television, this CSI works before the crime, proactively scanning for any untoward events on your machine. CSI can go as far as to lock start-up sections of your registry, block cookies and even pop-ups. Like most anti-spyware systems, CSI relies on a definition file to identify spyware, but it can also block unknown variants by looking for the type of behavior you would expect from spyware. This is a good proactive management technique. After all, definition files are usually updated only after spyware has been identified.

If you do lock down your systems with Ad-Aware, but still want to allow certain registry changes, you can edit rules that allow certain types of activity while protecting systems from all others.
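The start-up registry locations that CSI guards are the same ones an administrator can watch without any vendor tool. The following PowerShell script is an added example, not code from the review or from Lavasoft: it snapshots the Run and RunOnce keys on a clean machine and, on later runs, reports entries that were added, changed or removed. The baseline file path is an assumption.

```powershell
# Added example (not from the review or from Lavasoft): baseline the auto-start
# registry keys and report drift, the kind of behaviour a start-up lock watches for.
# Run it under the user whose HKCU hive should be covered; reading HKLM may need
# administrator rights depending on the build.
$StartupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupEntries {
    # Returns a hashtable of "key\valuename" -> command line for every auto-start entry
    $entries = @{}
    foreach ($key in $StartupKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $entries["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    return $entries
}

function Compare-StartupBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Returns one object per auto-start entry that differs from the baseline
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Added';    Entry = $k; Command = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Command = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Removed';  Entry = $k; Command = $Baseline[$k] }
        }
    }
    return $findings
}

# First run on a clean machine writes the baseline; later runs compare against it.
$BaselinePath = "$env:ProgramData\startup-baseline.clixml"   # assumed location
if (-not (Test-Path $BaselinePath)) {
    Get-StartupEntries | Export-Clixml $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $baseline = Import-Clixml $BaselinePath
    Compare-StartupBaseline -Baseline $baseline -Current (Get-StartupEntries) |
        Format-Table -AutoSize
}
```

Entries reported as Added or Modified are the ones to check against your software inventory before deciding whether they belong in an exclusion rule.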

Ad-Aware also includes a special analysis tool called Process-Watch, which lets you view running processes on any machine, scan processes for known spyware, view the components that are associated with a process and kill or terminate any running process. This is useful for real-time scanning.

Overall, Ad-Aware is very simple to use and deploy. It might be better if Ad-Axis and Ad-Aware Professional were more integrated for deployment purposes.

For the newcomer, it is not evident at all that you need to deploy two separate tools to get Ad-Aware Enterprise to work properly in your network.

One nice addition would be to ensure that whenever CSI stops an unknown variant, it immediately reports it to the central console and the Lavasoft Research Portal to keep better track of current spyware. For now, it seems you need to report it yourself.

Ad-Aware identified, but didn't completely remove MarketScore. You have to manually delete all the file components to completely remove it from your systems.

CounterSpy Enterprise
Sunbelt Software
Sunbelt's CounterSpy Enterprise is made up of three different components: an administration console, a management server and client agents. Once again, if you have AD, you can use it to find clients and push the agent from the console directly to the client systems. You could also use your own third-party delivery system to push the client agents.

Since it's so easy to do in the Administration Console, you might be better off doing it this way. Of course, you need to have the remote administration features enabled on target systems to use the console's push tool.

CounterSpy Enterprise is simple to install and deploy, as it also comes as a Windows Installer file. It also uses TCP ports for communication, but this time you have seven ports to configure. By default, it uses ports 18082 to 18089 which cover everything from agent to console communications for each of the processes CounterSpy manages. This means a lot of open ports on the firewall. Also, CounterSpy is the only anti-spyware tool that requires a reboot of the server.

CounterSpy works through policies. Define a policy on the server and the server will distribute it to all the clients. Once the policy is in place, client behavior is modified to meet the requirements of that central policy. One drawback is that the agent seems to rely exclusively on definition files made available by Sunbelt.

On the other hand, the configuration options for the rule-based policies are very powerful (see Figure 3). For example, when you enable active monitoring, you have a whole series of events you can control. These include whether or not to allow ActiveX installations, INI file mappings, browser helper objects, context menu items and so on. It's quite an extensive list, and you can set each to prompt, allow or block default actions.

Policy setup is very easy—perhaps the best of all of the products reviewed here. You only have to address each tab of the interface. You can even copy policies for situations where you only need to make a few changes. You can also use the export feature to back up policies and the import feature to restore them. This means you can create and test policies in a lab environment and then move them to a production environment in a few simple steps. This is definitely a handy feature.

CounterSpy is one of the only tools examined here that runs with a local database. The default database is Microsoft Access with all its inherent limitations, but you can modify it to run with SQL Server 2000. CounterSpy provides good protection that is easy to deploy and put in place, especially if you use the defaults. It has a nice interface that seems to give you more control than the other tools reviewed here.

CounterSpy identified and removed MarketScore. There was no trace of it left after removal. CounterSpy also offers a free download to remove this particular threat.

Anti-Spyware for SMB
Trend Micro
Like the other anti-spyware tools reviewed here, Trend Micro's Anti-Spyware for SMB (small to midsized businesses) is a client-server application. It relies on a database to store status information and other data, and requires a Web server to run since the interface is completely Web-based. Given that it is designed to run exclusively on Windows, it is odd that neither the database nor the Web server comes from Microsoft.

Instead of using the Microsoft SQL Server Desktop Engine (MSDE), Anti-Spyware for SMB uses MySQL. Instead of using Internet Information Services (IIS), Anti-Spyware for SMB installs an Apache Web server—even if IIS is already present on your system. This could be a major hurdle in shops that exclusively run Windows or Microsoft software.


Despite this unusual combination, installation is easy. Installing the server is the first step. The database and Apache server install in the background without prompts to the user. One thing to note is that the account under which Anti-Spyware for SMB runs requires domain administrator privileges, which is also a bit unusual. Anti-Spyware runs on port 8088 by default, but you can change this. One good thing is that it only requires you to open a single port in the firewall.

Trend Micro's Anti-Spyware is made up of several components, including the Web Console, which feeds off of the database, and the Web service that runs on a server. The Server Agent manages definition updates and reports to the Trend Micro Spyware Research Center when it finds new spyware. This agent also manages all communications with client agents.

The Client Agent is the component that actually cleans and protects systems. This includes a couple of sub-components. The first is Venus Spy Trap, which actively monitors and protects systems based on the definition file made available by the server. The second is the CWShredder. This is designed specifically to remove variants of the CoolWebSearch spyware threat.

Deploying agents is quite easy—just configure the agent policy to automatically install the agent upon discovery of a new machine (see Figure 4). You can do this through the default (Global_Default) or by creating a new policy for specific groups of machines. Once you've defined a policy, you just need to monitor events and make sure that definition files are up to date. You can also install agents through an MSI with AD or a third-party deployment tool. Like the others, this tool is simple to use and set up. Whether it will fit into your Windows network depends on the standards and strategies you have in place.

Figure 4. You deploy and administer Trend Micro's Anti-Spyware for SMB primarily from a single screen. Set it to automatic deployment, make sure any exclusions are set up in a separate screen and you're done.

Trend Micro Anti-Spyware was able to identify, but not automatically remove MarketScore. You need to follow a specific procedure to fully remove it, which involves killing all processes that have been detected by Anti-Spyware, then running Anti-Spyware again to finish removal.

Spy vs. Spy
All of these tools provide competent anti-spyware protection. None of the four are integrated within any anti-virus suites. Of course, you could see that as an advantage because it lets you use a best of breed anti-spyware tool, regardless of which anti-virus software you're currently using. However, a fully integrated product using the same agent and definition files might be easier to administer.

The least expensive is Trend Micro's, but in our opinion it has drawbacks for Windows-centric shops. Sunbelt's CounterSpy has the most complete configuration interface of the four. CA's Pest Patrol also does a great job of simplifying installation and configuration and keeping administration activities straightforward.

However, it is mostly the scanning and protection engine you're after. All of these products did a good job detecting and removing spyware in any category, but the proactive scanning engine that impressed us most is Lavasoft's. Of the four, it is the only one that includes active scanning for unknown threats. CSI can actually lock the start-up sections of the registry and protect you from items that aren't necessarily in a definition file. That seems like a major bonus for anyone interested in full and complete spyware protection.

The real issue with spyware is unauthorized software installations. If the desktop is locked down and the user is operating the workstation in user-only mode with no administrative rights, then you shouldn't have much of a spyware problem.

So how has spyware become the number one problem in malware? One answer is that many organizations treat Windows XP like Windows 98 and give their users local administrator rights. If you continue to use this type of policy, you'll never see the end of the spyware problem.
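Finding out which workstations still hand their users local administrator rights is the first step toward the lockdown the review recommends. The PowerShell script below is an added example, not code from the review or from any of the vendors: it reads a list of computer names from a file (assumed path) and lists every member of each machine's local Administrators group that is not on an allowed list (the allowed names are assumptions to adjust for your domain). It uses the WinNT ADSI provider, which reaches back to the Windows XP and Server 2003 machines the review was tested on.

```powershell
# Added example (not from the review or any vendor): audit local Administrators
# group membership across workstations so accounts that should run as ordinary
# users can be found and removed. Requires rights to read the remote group.
$Computers = Get-Content "$env:USERPROFILE\workstations.txt"   # assumed input file, one name per line
$Expected  = @('Administrator', 'Domain Admins')               # members you allow (assumption)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Bind to the remote machine's local Administrators group through the WinNT provider
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its display name and ADsPath via reflection
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Computer = $Computer; Member = $name; Source = $path }
    }
}

# Collect unexpected members; unreachable machines are reported but do not stop the run
$report = foreach ($c in $Computers) {
    try {
        Get-LocalAdminMembers -Computer $c |
            Where-Object { $Expected -notcontains $_.Member }
    } catch {
        Write-Warning "$c`: $($_.Exception.Message)"
    }
}
$report | Sort-Object Computer | Format-Table -AutoSize
```

The Source column shows whether a member is a local account or a domain account or group, which tells you whether the fix belongs on the workstation or in Active Directory.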